Rotate a subscription's signing secret - Mage Loyalty Documentation

curl --request POST \
  --url https://api.mageloyalty.com/v1/webhook-subscriptions/whsub_abc123/rotate-secret \
  --header 'Authorization: <api-key>'

{
  "data": {
    "type": "webhook_subscription",
    "id": "whsub_abc123",
    "attributes": {
      "url": "https://example.com/webhooks/mage",
      "events": ["points.earned", "customer.tier_upgrade"],
      "is_active": true,
      "description": "Production points + tier sync",
      "secret": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b",
      "created_at": "2024-01-01T00:00:00.000Z",
      "updated_at": "2024-01-03T00:00:00.000Z"
    }
  }
}

POST

webhook-subscriptions

{id}

rotate-secret

curl --request POST \
  --url https://api.mageloyalty.com/v1/webhook-subscriptions/whsub_abc123/rotate-secret \
  --header 'Authorization: <api-key>'

{
  "data": {
    "type": "webhook_subscription",
    "id": "whsub_abc123",
    "attributes": {
      "url": "https://example.com/webhooks/mage",
      "events": ["points.earned", "customer.tier_upgrade"],
      "is_active": true,
      "description": "Production points + tier sync",
      "secret": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b",
      "created_at": "2024-01-01T00:00:00.000Z",
      "updated_at": "2024-01-03T00:00:00.000Z"
    }
  }
}

Issue a new signing secret for a webhook subscription. The previous secret is invalidated immediately, so any deliveries signed after rotation use the new secret. Use this if a secret may have been exposed, or if you lost the original.

The new secret is returned only in this response. It is shown once and never again. Store it securely before you finish handling the response. The old secret stops working as soon as rotation completes, so update your endpoint to verify with the new secret. See Verifying webhook signatures.

Path parameters

Parameter	Type	Description
`id`	string	The webhook subscription ID

Response

Returns 200 OK with the subscription, including the new secret.

Errors

Status	Scenario
`401`	Missing or invalid API key
`403`	The API key is read-only and cannot perform write operations
`404`	No subscription with this ID exists for the shop
`429`	Rate limit exceeded (6 requests/second)

curl --request POST \
  --url https://api.mageloyalty.com/v1/webhook-subscriptions/whsub_abc123/rotate-secret \
  --header 'Authorization: <api-key>'

{
  "data": {
    "type": "webhook_subscription",
    "id": "whsub_abc123",
    "attributes": {
      "url": "https://example.com/webhooks/mage",
      "events": ["points.earned", "customer.tier_upgrade"],
      "is_active": true,
      "description": "Production points + tier sync",
      "secret": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b",
      "created_at": "2024-01-01T00:00:00.000Z",
      "updated_at": "2024-01-03T00:00:00.000Z"
    }
  }
}

Delete a webhook subscription List delivery logs

​Path parameters

​Response

​Errors

Path parameters

Response

Errors